Mapping AD groups, contains other groups, to roles

Opensearch 2.3

Hello friends! Have the same configuration:
authz:
roles_from_myldap:
description: “Authorize via LDAP or Active Directory”
http_enabled: true
transport_enabled: true
authorization_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: false
hosts:
- 172.29.0.1:389
bind_dn: svc@domain.com
password: Topaz123$
rolebase: ‘OU=roles,OU=ops,DC=domain,DC=com’
rolesearch: ‘(member={0})’
userroleattribute: null
userrolename: disabled
rolename: cn
resolve_nested_roles: true
userbase: ‘OU=users,DC=domain,DC=com’
usersearch: ‘(sAMAccountName={0})’
skip_users:
- admin

It’s a problem: I have OU “roles” with groups “admins”, “operators”, etc. These groups contain other groups that already contain users from other OUs. If I write rolebase: ‘OU=roles,OU=ops,DC=domain,DC=com’, the configuration cannot read users located in other OUs. If i write rolebase: ‘DC=domain,DC=com’, users can log in and receive roles, but all of their groups are also mapped to the backend roles, which takes a long time to sign in.